How to triage Vulnerability Management Tickets?

Question asked by Steven Campbell on May 13, 2017
Latest reply on Aug 11, 2017 by J H

Essentially what I need is a way to group tickets in "buckets" and I need to prioritize those assets that are exposed to the internet (asset group or dynamic tag) that have a remotely exploitable severity 5 vulnerability with exploit code available (Remediation Policy) as a "P1", then lesser criteria as a P2, etc. in order to fit tickets into a remediation procedure and workflow.

In Qualys I can't search Remediation tickets based on the policy criteria like Severity 5, Remotely Exploitable, Exploit Code Available. Once a ticket gets assigned I don't have any way to triage them based on Asset Group, Tag, etc.

Remediation Policies can select those criteria to decide if a ticket should be created, who to assign a ticket to, time to close the ticket, etc., but once that ticket is assigned to me I can't sort or search my tickets based on those criteria. I get all of them assigned in one big bucket and I can search those by severity, IP address, hostname, QID, etc., but I lose the ability to sort/search them by criteria such as Exploitability, Asset Group, etc. Once those tickets with a Remediation Policy like "External Asset Group, Severity 5, Remote, with Exploit Code Available" get assigned to me, how do I triage and distinguish them from tickets assigned to me by a policy like "Internal Asset Group, Severity 5, Authenticated, No Exploit Code Available"?

I can see that it's possible to search on those criteria in Asset View, but that results in a list of assets with multiple vulnerabilities each. I don't want a list of assets, I want a list of triaged vulnerability tickets. Qualys allows me to search for these vulnerabilities in Asset View, but in the Vulnerability Management piece where you view vulnerability tickets, I can't search based on the criteria I listed above. Once a policy that searches for vulnerabilities like "External Asset Group, Severity 5, Remote, with Exploit Code Available" assigns tickets to a user, all of their tickets are in one big bucket and I lose the ability to distinguish between the tickets matching those criteria and the others.

If it makes any difference, we will be integrating Qualys with ServiceNow. If you have experience with Qualys and ServiceNow Security Operations Module and know that these products together can do what I'm looking for, I'd be interested to hear about your experiences with them.
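As an added illustration of the P1/P2 bucketing the question describes (example code, not Qualys or ServiceNow functionality): once ticket data is exported and joined with asset-group/tag membership and QID exploitability details, the priority rule can be applied offline. The ticket records and field names below are constructed assumptions; the P2/P3 tiers are an assumed example of the "lesser criteria" the post leaves open.

```python
"""Bucket vulnerability tickets into P1/P2/P3 by exposure and exploitability.

Added example, not Qualys or ServiceNow code. Records are constructed inline;
in practice they would come from a ticket export joined with asset-group/tag
data and per-QID exploitability flags (the field names here are assumptions).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    qid: int
    severity: int               # Qualys severity 1..5
    internet_facing: bool       # asset is in an external asset group / tag
    remotely_exploitable: bool  # detectable/exploitable without credentials
    exploit_available: bool     # public exploit code known for the QID


def priority(t: Ticket) -> str:
    """P1 is the post's rule: internet-facing, sev 5, remote, exploit available.
    P2 and P3 are assumed lower tiers for the remaining tickets."""
    if (t.internet_facing and t.severity == 5
            and t.remotely_exploitable and t.exploit_available):
        return "P1"
    if ((t.severity == 5 and t.remotely_exploitable)
            or (t.internet_facing and t.severity >= 4 and t.exploit_available)):
        return "P2"
    return "P3"


def triage(tickets):
    """Return {priority: [ticket ids]}, highest severity first within a bucket."""
    buckets = {"P1": [], "P2": [], "P3": []}
    for t in sorted(tickets, key=lambda t: (-t.severity, t.ticket_id)):
        buckets[priority(t)].append(t.ticket_id)
    return buckets


# Constructed sample tickets (QIDs and ids are placeholders, not real data).
SAMPLE = [
    Ticket(1, 90001, 5, True, True, True),     # external, remote, exploit -> P1
    Ticket(2, 90002, 5, False, False, False),  # internal, authenticated   -> P3
    Ticket(3, 90003, 5, False, True, False),   # internal but remote sev 5 -> P2
    Ticket(4, 90004, 4, True, True, True),     # external sev 4 w/ exploit -> P2
    Ticket(5, 90005, 3, True, True, True),     # external sev 3            -> P3
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```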
